The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the finance industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the finance industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the finance industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions.
OBSERVED ATTACK CAMPAIGNS
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
PHISHING
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation rather than the intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.
RANSOMWARE
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs. While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
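The victim-processing rules described above (deduplicating repeated leak-blog posts, counting multinational victims under their HQ country, then deriving per-group, per-month and per-country figures such as a group's share of victims in one industry) can be expressed compactly. The following is an added illustration, not CYFIRMA's own pipeline; the victim records and the HQ lookup table are constructed sample data.

```python
from collections import Counter
from datetime import date

# Hypothetical HQ lookup for multinational victims (assumption: the report
# says such victims are counted under the country of the company's HQ).
HQ_COUNTRY = {"Example Holdings": "US"}

# Constructed sample records: (group, victim name as posted on the leak blog,
# country listed, industry, date the post was seen). Not real victims.
SAMPLE_VICTIMS = [
    ("Blackbasta", "Example Holdings", "DE", "Finance", date(2023, 11, 3)),
    ("Blackbasta", "Example Holdings", "DE", "Finance", date(2023, 11, 3)),  # repeated post
    ("Blackbasta", "Acme Insurance", "US", "Finance", date(2023, 10, 21)),
    ("Blackbasta", "Acme Manufacturing", "US", "Manufacturing", date(2023, 12, 2)),
    ("LockBit3", "Northwind Credit Union", "CA", "Finance", date(2023, 11, 15)),
    ("LockBit3", "Contoso Logistics", "GB", "Transport", date(2023, 12, 9)),
    ("Play", "Fabrikam Retail", "US", "Retail", date(2023, 10, 30)),
]


def normalise(records):
    """Drop duplicate posts (same group, victim, day) and apply the HQ-country rule."""
    seen, out = set(), []
    for group, name, country, industry, day in records:
        key = (group, name, day)
        if key in seen:
            continue
        seen.add(key)
        out.append((group, name, HQ_COUNTRY.get(name, country), industry, day))
    return out


def industry_focus(records, industry="Finance"):
    """Per group: (victims in industry, all victims, share of the group's victims in industry)."""
    total = Counter(g for g, *_ in records)
    hit = Counter(g for g, _, _, ind, _ in records if ind == industry)
    return {g: (hit[g], total[g], round(hit[g] / total[g], 2)) for g in total}


def monthly_counts(records, industry="Finance"):
    """Victims in the industry per (year, month), as on the monthly activity chart."""
    return Counter((d.year, d.month) for _, _, _, ind, d in records if ind == industry)


def country_counts(records, industry="Finance"):
    """Victims in the industry per (HQ-adjusted) country."""
    return Counter(c for _, _, c, ind, _ in records if ind == industry)
```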
Finance organizations featured in 20 out of the 23 observed campaigns, a presence in 87% of campaigns.
Observed Campaigns per Month
The monthly chart shows a large spike in December, after a period of generally low campaign detections in September and October.
Suspected Threat Actors
Suspected threat actors are divided between nation-state and financially motivated APTs.
GEOGRAPHICAL DISTRIBUTION
Victims of the observed attack campaigns were recorded in 28 different countries, split between Chinese and Russian national interests, with notably growing numbers in the APAC region.
TOP ATTACKED TECHNOLOGY
Attack campaigns focused on attacking web applications, operating systems, cloud, and infrastructure.
Risk Level Indicator: High
In December, a notable increase in monthly cyber activity was recorded, attributed in part to four campaigns (UNC071, UNC072, UNC073, and UNC074), conducted by unidentified threat actors. These campaigns utilized common tactics, techniques, and procedures (TTPs) and focused on countries in the Asia-Pacific (APAC) region and the United States. Simultaneously, there was a rise in Chinese cyber activity, particularly associated with the Mustang Panda Advanced Persistent Threat (APT).
Beyond the Mustang Panda APT, other suspected threat actors include Stone Panda and HAFNIUM from China. Russian threat actor (TA) activity included the Gamaredon group, along with the familiar presence of TA505, FIN7, FIN11, and blurred activity lines with Cozy and Fancy Bear.
In terms of geographical impact, the United States and Japan were the most targeted regions, closely followed by South Korea, India, and Australia. Southeast Asia also experienced an increase in attack volumes, a trend previously associated with the Lazarus Group’s heightened activity, particularly targeting financial institutions in the Asia-Pacific region. However, the primary driver of this surge is now attributed to Chinese nation-sponsored activity.
Web applications maintained their status as the most frequently targeted technology across various industries, with operating systems following closely in terms of susceptibility. Additionally, there were instances of cyberattacks targeting infrastructure and cloud services.
Over the past 3 months, CYFIRMA’s telemetry recorded 16,062 phishing campaigns impersonating finance industry brands out of a total of 325,155, which accounts for 4.9% of all campaigns.
Global Distribution of Phishing Themes per Sector
Top Impersonated Brands
Interestingly, French financial institutions take the top two places, with the Indonesian DANA platform in third place. Moreover, banks from nearly every nation appear among the 247 observed institutions; those outside the top 25 add up to nearly 5,000 between them.
Top Countries of Origin based on ASN
Despite US banks and institutions being a minority of the impersonated brands, most of the campaigns have ASN origin in the US.
Risk Level Indicator: High
The finance industry has historically been amongst the most popular phishing lures, due to the direct way to monetize successful attacks.
Our observations have documented impersonation attempts against 247 distinct financial organizations. This reflects a growing trend of increased lower-tier cybercriminal activity, beyond the United States and other developed economies.
Crédit Agricole and Société Générale, the second- and third-largest French banks, have emerged as the most impersonated financial entities, likely owing to their extensive retail presence across continents. Despite dropping to third position since the last quarter, the Indonesian financial platform DANA remains a significant target for impersonation. Notably, there is a discernible increase in fraudulent activities aimed at Latin America, tailored to specific regions and countries.
Interestingly, our ASN Origin-based telemetry data indicates that a significant number of phishing campaigns originate from within the United States. This suggests international cybercrime gangs are behind these campaigns, with a portion conducted by local cybercriminal entities.
In the past 90 days, CYFIRMA has identified 151 verified ransomware victims within the finance industry sectors. This accounts for 12.3% of the overall total of 1,223 ransomware incidents during the same period.
The Monthly Activity Chart
Monthly trends show consistently high numbers across months with a slight downward trend.
Breakdown of Monthly Activity by Gangs
A breakdown of the monthly activity provides insights into per-group activity. For example, Blackbasta has been active across all months, whereas LockBit3 recorded the most victims in November.
Ransomware Victims in Finance Industry per Group
In total, 30 out of 49 groups recorded finance organization victims in the past 90 days. The top 3 are responsible for half of them.
Comparison to All Ransomware Victims by Group
Compared to all recorded victims in the same time period, the Blackbasta gang records a comparatively high number of victims in this industry, suggesting a focused interest in finance organizations.
Geographic Distribution Of Victims
The heatmap of geographic distribution shows a truly global reach of ransomware.
Total Victims per Country
In total, 37 countries recorded ransomware victims, with the US alone accounting for ~43% of all.
Sectors Distribution
Listing the consolidated sectors grouped under the finance industry umbrella shows financial services, finance/legal consulting, and IT services such as finance software as the most attacked sectors.
Risk Level Indicator: High
Monthly activity consistently reveals a notable volume of cyber-attacks, with a slight downward trend. A closer examination of the groups responsible for these attacks underscores Blackbasta’s sustained activity over months, followed by LockBit3, Akira, and ALPHV. Each of these groups maintained consistent attack levels, albeit with occasional spikes occurring in different months.
Out of the 47 active gangs in the past 90 days, 30 have directed their efforts towards the finance sector. Blackbasta, in particular, has exhibited a heightened focus on financial organizations, with 36% of all their victims belonging to this industry. Conversely, groups like Play or 8base have displayed diminished interest in the finance sector, compared to their total number of victims over the same period. The data on the total number of victims per group emphasizes the dominance of major ransomware gangs, with the top three accounting for over half of all victims.
Among the victims located in 37 different countries, the United States emerges as the most affected, with 64 victims, followed by the UK and Canada. The United States maintains its status as the most targeted country across various industries, owing to its extensive economy and diverse financial landscape. Notably, in the finance sector, emerging economies with rapidly growing financial institutions and high levels of digitalization are gradually ascending on ransomware victim lists.
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.
In the external threat landscape of the finance industry, we’ve consistently observed a high risk across monitored categories. The finance sector, traditionally providing a direct path for monetizing cyber-attacks, attracts cybercriminals of all skill levels.
Ransomware remains a significant threat, with finance organizations constituting over 12% of all victims in the last 90 days. Notably, data reveals that within the same period, 36% of Blackbasta’s victims belong to this industry, indicating a concentrated focus.
Phishing campaigns also continue to pose a substantial risk, with a noteworthy shift towards non-English-speaking organizations and victims. Notably, financial institutions in France, Indonesia, and Latin America are prominent among the top impersonated brands.
The observed Advanced Persistent Threat (APT) campaigns exhibit a relatively even distribution between financially motivated threat actors from Russia and state-sponsored groups from China. A spike in activity was observed in December, attributed to four campaigns with yet unattributed threat actors employing common tactics, techniques, and procedures (TTPs) and targeting the Asia-Pacific (APAC) region.